topic RE: 802.1X supplicant on access switches for uplink authentication (for security & automation) in Hero Product Suggestions

802.1X supplicant on access switches for uplink authentication (for security & automation)

Volker_Kull — Wed, 11 Nov 2020 18:58:00 GMT

APs are mostly authenticated at a switchport to use an automatic configuration of switchport behaviours (VLANs, port authentication, ..) like I mentioned in my “AP-Aware” idea. We need this function as well for authentication and automation to connect access switches to core/distribution/fabric switches. This ist for security reasons in case of using distributed switches in office, production, IOT/OT, … to prevent unauthorized usage uf the uplink ports as well as a basic function to use automation in a distributed environment.

This is not new to use a 802.1X supplicant on access devices (like APs) to connect to switchports and use automation for on-/offboarding.

More and more small devices in production, healthcare, education environments for headless devices, IOT/OT force us to deliver an easy to deploy and use environment.

Volker

RE: 802.1X supplicant on access switches for uplink authentication (for security & automation)

AlexN — Fri, 04 Dec 2020 23:02:00 GMT

In fabric environment is’t already the case. With auto-sense feature added in 8.3 for Zero Touch Fabric, it will cater for similar scenario.

Mechanism there will not be 802.1x specific, however from security perspective you can use:

ISIS HMAC
Fabric Attach authentication
MACSEC keys

RE: 802.1X supplicant on access switches for uplink authentication (for security & automation)

Volker_Kull — Fri, 04 Dec 2020 23:10:00 GMT

Hello AlexN!

Fabric is not everywhere and cloud as well.

In our customer base 99% of access switches are EXOS, and more than 50% of the distribution/core switches are EXOS as well.

Volker

RE: 802.1X supplicant on access switches for uplink authentication (for security & automation)

AlexN — Sat, 05 Dec 2020 00:41:00 GMT

That means there are substantial benefits to introduce them to Fabric, right ?

In legacy networking scenarios achieving same automation levels can be more challenging however not impossible: for instance combination of ZTP+ and OSPF/BGP authentication would do similar trick with EXOS.

So is your request limited to only EXOS then ?

BR,

Alex

RE: 802.1X supplicant on access switches for uplink authentication (for security & automation)

Volker_Kull — Sat, 05 Dec 2020 01:05:00 GMT

We are working on getting fabric into the field as much as possible. But sometimes the field of application is very static and two completely contrary OS completely overwhelm the customer.
We want a continuous functional parity over the whole product portfolio, therefore this is not only limited to EXOS.
All switches or APs (AH, WING7) should be combinable with all switches and should be connected and the environment should be configured automatically. This should be uniformly configurable from the XMC/XIQ.

Volker

RE: 802.1X supplicant on access switches for uplink authentication (for security & automation)

Roger_Lapuh — Thu, 10 Dec 2020 23:25:00 GMT

Volker, we agree with that statement, the thought is to bring those auto-sense concepts also to EXOS (no committment yet). Would you think most of those deployments use some sort of NAC, or are you looking for a solution without NAC in place?

Roger

RE: 802.1X supplicant on access switches for uplink authentication (for security & automation)

Volker_Kull — Sat, 12 Dec 2020 04:09:00 GMT

Roger,

we need both. Using standards (802.1X) this would not be a problem.

With NAC, we have nearly all features we need.

Without NAC it´s a thing on the switch. With UPM we have good tools on EXOS. VSP ? nothing I know…

Issues: Deployment of UPM scripts from XIQ is a switch by switch operation via manual SSH setup per switch (You will not do this for >50 switches). Deployment of python scrips is not possible because it´s a separate file and not supported with XiQ. XMC could do everything of that and much more ..

But remember it´s not only about authentication! As I mentioned in the AP-Aware feature it is more to prepare a Port for uplink use and back to start after disconnecting the uplink. It`s not quite easy and we need to change the view and focus and end-to-end approach and not getting stuck in an endless per feature discussion. Think in use cases...and what customer will love to be and stay at Extreme...

Volker

RE: 802.1X supplicant on access switches for uplink authentication (for security & automation)

Roger_Lapuh — Mon, 14 Dec 2020 16:52:00 GMT

VOSS 8.3 will introduce Auto-Sense Port capabilities. A switch that is booted from default will have all ports automatically auto-sense enabled (or one can turn on auto-sense manually).

On an Auto-Sense port APs that are Fabric Attach (FA) capable (FA is also coming to AH APs)will be automatically authenticated through FA and will automatically put into an onboarding ISID, such that the AP can reach its management infrastructure. At that point FA will be used to signal SSID to VLAN/ISID mappings.

This is all without any NAC in place.

What I described here is supported for any FA capable device and similarly works for IP Phones.

Auto-sense is expandable, if we see additional value add that we could be providing, we certainly be open to look into it.

Roger

RE: 802.1X supplicant on access switches for uplink authentication (for security & automation)

Volker_Kull — Tue, 15 Dec 2020 00:16:00 GMT

Roger,

this is all about single features. We need to have an end-to-end solution no matter what features will be used. The customer want to connect a switch, AP, server, what ever to an uplink and requires a complete on- and offboarding process: Port, LAG, VLANs, Authentication, ACL, QoS, ….

On- and offboarding means not only to provide a valid port configuration via script or workflow, it means a reconfiguration of the port after disconnect in default state.

FA is a feature for limited products supporting FA. It´s a possibility but what to do without FA on the uplink?

RE: 802.1X supplicant on access switches for uplink authentication (for security & automation)

Roger_Lapuh — Tue, 22 Dec 2020 22:55:00 GMT

Volker, auto-sense does exactly that:

It turns a port into an NNI when another VSP is connected
it tuns a port into an FA links if an FA device is connected
it turns a port into an IP Phone port if an IP phone is detected through LLDP-MED
it turns a port into a UNI port if non of the above is detected
- as a UNI it can be run without NAC, then all devices end up in the secure guest/onboarding PVLAN 4048, ISID 15999999
- as a UNI with NAC devices can be assigned into their own VLAN/ISID through Radius with MHMV per host (MAC).
if any of the above devices are removed, then the port turns into default state.

Roger

RE: 802.1X supplicant on access switches for uplink authentication (for security & automation)

StephanH — Thu, 21 Jan 2021 23:50:00 GMT

Hello,

since this feature is missing we have just failed to replace 140 HP switches with XOS switches. HP (now Aruba) has supported this feature for years.

Specifically, this is a project where Fiber to the Desk is in use and therefore there is a switch in every office. To prevent an employee from being on the network after unplugging the switch, authentication must also be performed on the uplink, not just on the access.

Here a screenshot from the HP manual

And NO VSP is no option here in the moment for the customer.

RE: 802.1X supplicant on access switches for uplink authentication (for security & automation)

AlexN — Fri, 19 Mar 2021 23:06:00 GMT

Gents,

let’s look forward into the future, not back into the past. HP does it because they have nothing else to do, they missed entire fabric play and BTW now are trying to chase it.

Choosing between implementing 802.1x supplicant and Auto-Sensing feature I'd better have latter.

In the picture from HP manual - what is real world use case? Switch A in uncontrolled environment, where anyone can plug/unplug uplink, and concern is that malicious user can gain access to uplink traffic ? But 802.1x doesn’t solve it. Perhaps HP/Aruba lied to customer about it, but in reality I just need little hub between SwA and SwB - and here you go, I have access to all traffic !
What we can do on EXOS to have similar level of protection - LLDP. configure custom LLDP data, and use UPM port to block port unless you see proper string in LLDP.
But it’s a kludge of course, you should use MACSEC if customer is really concerned about security.

RE: 802.1X supplicant on access switches for uplink authentication (for security & automation)

mitchjreyes — Tue, 23 Mar 2021 19:41:00 GMT

Better to use MacSec